Posted by J.O. Aho on 05/27/07 09:33

_mario.lat wrote:
> I use PHP and I'd like to not write in hardcoded way password
> and login to access to mysql.
> how to not write password in code for access to mysql?
> How can I do?
> I'd like that who see my code don't see my paswords.
> there is a solution?

I assume you use a Unix like system for your server.

I assume you have your PHP scripts in ~/public_html

Then you can create a directory ~/mypasswords

Now you can create the following file

--- ~/mypasswords/mysql.log.data.php ---
<?PHP
$mysql_login="loginname";
$mysql_passw="secretpass";
$mysql_host="localhost";
$mysql_database="mydb";
?>
-- eof ---

Now in your php script that users can surf to

--- ~/public_html/index.php ---
<?PHP
require_once('../mypasswords/mysql.log.data.php');
mysql_connect($mysql_host, $mysql_login, $mysql_passw);
mysql_select_db($mysql_database);

//and so on...
?>
--- eof ---

Even if there would be a misconfiguration, and the PHP engine would be
disabled, and the code is displayed in raw, no one will be able to see the
login/password/host/database in your code, just see to that the user who is
running the web server has the privileges to read the
~/mypasswords/mysql.log.data.php, but don't make the directory publicly
available on the net (no symlinks to the file or directory in your ~/public_html).

--

//Aho

[Back to original message]